
[2015-08-25 04:36 UTC] neal at fb dot com

Description:
------------
This issue is somewhat similar to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658 but more limited: it only allows you to create new directories, not files.
Inside php_zip.c there's a function called php_zip_make_relative_path which is used to sanitize the file path when extracting a file/directory from a ZIP. When extracting a file the sanitized pathname is used, so files are only created inside of the directory where they're being extracted. However, for directories, the unsanitized/user-provided "file" value is used instead of the sanitized "path_cleaned" value (https://github.com/php/php-src/blob/026b41ba664bd8f76d6d201d7af8e70c8b650194/ext/zip/php_zip.c#L172-L176). As a result, a directory can be created outside of the directory where a ZIP file is being extracted.
Compared to CVE-2008-5658 this is a much more minor issue since it is limited to the creation of directories rather than files. This issue appears to have been previously reported as #67996 but was closed as not a bug.
Test script:
---------------
<?php
// Build an archive containing a single directory entry whose name points above the extraction directory.
$archive = new ZipArchive();
$archive->open('a.zip',ZipArchive::CREATE);
$archive->addEmptyDir("../down2/");
$archive->close();
// Extract it into the current directory; the directory entry bypasses php_zip_make_relative_path.
$archive2 = new ZipArchive();
$archive2->open('a.zip');
$archive2->extractTo('.');
$archive2->close();
Expected result:
----------------
A directory called down2 is created inside of .
Actual result:
--------------
A directory called down2 is created inside of the parent directory.

From CVE assign response:
Use CVE-2014-9767 for this issue that was apparently disclosed in
https://bugs.php.net/bug.php?id=67996 in 2014. The issue could be
relevant in cases where, for example:
- a parent directory is on a filesystem that can't support many
inodes, and the attacker can cause a DoS by creating thousands of
empty directories there
- a parent directory is served by the web server and allows a full
directory listing, and the attacker can therefore post spam in the
form of directory names
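As an added example (not part of the bug report or of php-src), the following application-level check shows how an extracting application can vet every entry name itself, so that directory entries like "../down2/" are never handed to extractTo() even on a PHP build where php_zip.c uses the unsanitized name for directories. The helper names is_safe_zip_entry_name and safe_extract_to are assumptions.

```php
<?php
// Added example, not from the bug report or php-src. Helper names are assumed.
// Rejects any entry whose name is absolute or contains a ".." component,
// then extracts only the vetted entries (files and directories alike).

function is_safe_zip_entry_name(string $name): bool
{
    // Reject empty names, absolute paths, and Windows drive-letter forms.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $name)) {
        return false;
    }
    // Normalise separators and inspect each component; any ".." escapes the target.
    $parts = explode('/', str_replace('\\', '/', $name));
    foreach ($parts as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

/** Extracts $zipPath into $destDir; returns the list of entry names that were refused. */
function safe_extract_to(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $accepted = [];
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (is_safe_zip_entry_name($name)) {
            $accepted[] = $name;
        } else {
            $rejected[] = $name;   // e.g. "../down2/" from the report's test script
        }
    }
    // Passing an explicit entry list means the refused names never reach extractTo().
    if ($accepted !== []) {
        $zip->extractTo($destDir, $accepted);
    }
    $zip->close();
    return $rejected;
}

// Constructed usage against the report's a.zip: the directory entry is refused, nothing escapes '.'.
// $refused = safe_extract_to('a.zip', '.');
```

Logging the returned $rejected list gives a detection signal for archives that attempt traversal, which is useful even once the underlying php_zip.c fix is deployed.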